> > If anyone has any interest it is at:
> > http://www.vawter.com/urlhack.cfm
>
> Quick question, the dropping of tables seems very destructive, and of
> little point other than trashing a site.
>
> Is it possible to construct more "useful" queries to run piggy back,
> i.e. the SQL to display all the tables in a database, the fields in a
> table, or the data in a field(s)? I'm not asking for examples, just if
> it's theoretically possible.
>
> Having the data deleted is easy to recover from (if not careless),
> having someone view your data, or database construction would seem to
> be a lot worse.
Sure, it's possible to construct more useful strings, although usefulness
here is going to be in the eye of the beholder. For example, if you knew a
site was running against SQL Server, you might be able to execute the
xp_cmdshell stored procedure, which would get you a command prompt on the
database server, essentially. If you could do this, you could conceivably
have that command shell retrieve a file from an FTP server and run that
file. That might be useful, if your goal is to compromise a remote database
server.
Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
voice: (202) 797-5496
fax: (202) 797-5444
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Structure your ColdFusion code with Fusebox. Get the official book at
http://www.fusionauthority.com/bkinfo.cfm
Archives: http://www.mail-archive.com/[email protected]/
Unsubscribe: http://www.houseoffusion.com/index.cfm?sidebar=lists
